PT-2025-3194 · Zulip · Zulip Server
Alexmv · Published 2025-01-16 · Updated 2025-08-27 · CVE-2024-56136
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Zulip Server versions 7.0 through 9.3
Description
This is an information disclosure vulnerability: an unauthenticated user can determine whether an email address is in use by a user on a Zulip server hosting multiple organizations. There are no known workarounds for this issue.
Recommendations
For Zulip Server versions 7.0 through 9.3, upgrade to Zulip Server 9.4 or switch to the main branch of Zulip Server to resolve the issue.
At the moment, there is no other information about additional mitigation measures.
Weakness Enumeration
Information Disclosure
Related Identifiers
CVE-2024-56136
Affected Products
Zulip Server